EXAMINER'S AMENDMENT

1. An examiner's amendment to the record appears below. Should the changes
and/or additions be unacceptable to applicant, an amendment may be filed as provided
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be
submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in a telephone interview 
with Samir A. Bhavsar on 2/15/06. 

2. The application has been amended as follows: 
In claim 1 

"detecting at least one unused or misused operand or operator of the first 
predetermined number of instructions; 

collecting information corresponding to a plurality of registers and/or flags after 
emulating at least one instruction;" 

has been changed to

--detecting at least one unused or misused operand or operator of the first
predetermined number of instructions, wherein detecting at least one unused or
misused operand or operator comprises identifying at least one operand or operator that
is not used during emulation of the first predetermined number of instructions;

collecting information after emulating at least one instruction, wherein at least a
portion of the collected information corresponds to a plurality of registers and/or flags
and to the at least one detected unused or misused operand or operator;--

In claim 7

"(Currently Amended)" 
has been changed to 
--(Canceled)--

In claim 8 

"(Currently Amended) The method of claim 1, wherein detecting at least one 
unused or misused operand or operator comprises identifying at least one undefined 
operand or operator used during emulation of the first predetermined number of 
instructions." 

has been changed to

--(Currently Amended) A method of detecting polymorphic viral code, comprising:

emulating a first predetermined number of instructions of a computer program; 

detecting at least one unused or misused operand or operator of the first 
predetermined number of instructions, wherein detecting at least one unused or 
misused operand or operator comprises identifying at least one undefined operand or 
operator used during emulation of the first predetermined number of instructions; 

collecting information after emulating at least one instruction, wherein at least a 
portion of the collected information corresponds to a plurality of registers and/or flags 
and to the at least one detected unused or misused operand or operator; and 

determining a probability that the computer program contains polymorphic viral 
code based at least in part on an heuristic analysis of the collected information.--

In claim 9

"detecting at least one unused or misused operand or operator of the selected
number of instructions; 

collecting information corresponding to a plurality of registers and/or flags after 
emulating at least one instruction;" 

has been changed to

--detecting at least one unused or misused operand or operator of the selected
number of instructions, wherein detecting at least one unused or misused operand or
operator comprises identifying at least one operand or operator that is not used during
emulation of the selected number of instructions;

collecting information after emulating at least one instruction, wherein at least a
portion of the collected information corresponds to a plurality of registers and/or flags
and to the at least one detected unused or misused operand or operator;--

In claim 10 

"detecting at least one unused or misused operand or operator of the selected 
number of instructions; 

collecting and storing information corresponding to a plurality of registers and/or
flags after emulating at least one instruction;" 

has been changed to

--detecting at least one unused or misused operand or operator of the selected
number of instructions, wherein detecting at least one unused or misused operand or
operator comprises identifying at least one undefined operand or operator used during
emulation of the selected number of instructions;

collecting and storing information after emulating at least one instruction, wherein
at least a portion of the collected information corresponds to a plurality of registers
and/or flags and to the at least one detected unused or misused operand or operator;--

In claim 11 

"a second segment including detection code to detect at least one unused or 
misused operand or operator of the selected number of instructions;" 
has been changed to 

--a second segment including detection code to detect at least one unused or
misused operand or operator of the selected number of instructions, wherein detecting 
at least one unused or misused operand or operator comprises identifying at least one 
operand or operator that is not used during emulation of the selected number of 
instructions;-- 

"a fourth segment including heuristic processor code to determine a probability 
that the computer program contains polymorphic viral code based at least in part on an 
heuristic analysis of the plurality of registers and/or flags." 

has been changed to 

--a fourth segment including heuristic processor code to determine a probability
that the computer program contains polymorphic viral code based at least in part on an
heuristic analysis of the plurality of registers and/or flags and the at least one detected
unused or misused operand or operator.--



Application/Control Number: 09/905,341 Page 6 

Art Unit: 2137 

In claim 12 

"detect at least one unused or misused operand or operator of the first 
predetermined number of instructions;" 
has been changed to

--detect at least one unused or misused operand or operator of the first
predetermined number of instructions, wherein detecting at least one unused or
misused operand or operator comprises identifying at least one undefined operand or
operator used during emulation of the first predetermined number of instructions;--

"an heuristic analyzer operable to determine a probability that the computer 
program contains polymorphic viral code based at least in part on an heuristic analysis 
of the plurality of registers and/or flags." 

has been changed to 

--an heuristic analyzer operable to determine a probability that the computer
program contains polymorphic viral code based at least in part on an heuristic analysis 
of the plurality of registers and/or flags and the at least one detected unused or misused 
operand or operator.-- 

In claim 18 

"The apparatus of claim 12, wherein detecting at least one unused or misused 
operand or operator comprises identifying at least one undefined operand or operator 
used during emulation of the first predetermined number of instructions." 

has been changed to

--An apparatus for detecting polymorphic viral code, comprising:

an emulator operable to emulate a first predetermined number of instructions of a 
computer program; 

an operational code analyzer operable to: 

detect at least one unused or misused operand or operator of the first 
predetermined number of instructions, wherein detecting at least one unused or 
misused operand or operator comprises identifying at least one operand or operator that 
is not used during emulation of the first predetermined number of instructions; and 

analyze a plurality of registers and/or flags accessed during emulation of 
at least one instruction; 

and 

an heuristic analyzer operable to determine a probability that the computer 
program contains polymorphic viral code based at least in part on an heuristic analysis 
of the plurality of registers and/or flags and the at least one detected unused or misused 
operand or operator.--

In claim 19 

"(Currently Amended)" 

has been changed to 

--(Canceled)--

In claim 25 

"(New) The method of claim 7" 
has been changed to

--(Currently Amended) The method of claim 1--

In claim 27 

"generate or modifying at least one rule based on at least in part on the 
identification of the polymorphic viral code." 
has been changed to 

--generate or modify at least one rule based on at least in part on the
identification of the polymorphic viral code.--

In claim 31 

"(New) The method of claim 16, wherein the heuristic analysis comprises 
comparing the number of time that the register and/or flag was improperly used with 
statistics corresponding to a plurality of polymorphic viral codes." 

has been changed to

--(Currently Amended) The method of claim 16, wherein the heuristic analysis
comprises comparing the number of times that the register and/or flag was improperly
used with statistics corresponding to a plurality of polymorphic viral codes.--

In claim 33 

"(New) The method of claim 19," 
has been changed to 

--(Currently Amended) The method of claim 12,--

Allowable Subject Matter

3. This action is in response to the communication dated September 15, 2005. 

4. Claims 15, 8-16, 18 and 20-33 are allowed. 

5. The following is an examiner's statement of reasons for allowance: 

The present invention is directed to a method and apparatus for detecting
polymorphic viral code in a computer program. Each independent claim (claims 1, 8, 9,
10, 11, 12 and 18) identifies the uniquely distinct features of identifying at least one
operand or operator that is not used during emulation of the selected number of
instructions when detecting at least one unused or misused operand or operator and
identifying at least one undefined operand or operator used during emulation of the
selected number of instructions when detecting at least one unused or misused operand
or operator. The closest prior arts, Nachenberg et al. (5,826,013), (5,964,889) and
(6,357,008) fail to anticipate or render the above limitations obvious.

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

6. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Minh Dieu Nguyen whose telephone number is 571-272-3873.
The examiner can normally be reached on M-F 6:00-2:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number
for the organization where this application or proceeding is assigned is (571) 273-8300.

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is 571-272-2100.




Minh Dieu Nguyen

Examiner